TLS sites using TLSv1.3 draft 23 may be reset when inspected by the SSLV

Article ID: 171172

Products

SSL Visibility Appliance Software

Issue/Introduction

The RFC for TLSv1.3 is currently in a draft phase. Field trials of draft 23 have recently started in certain browsers, and this may result in flows being reset when they are inspected by the SSLV.

Version 3.x

SSLV version 3.x by default cuts through TLSv1.3 flows. There should not be any issues with draft 23.

Version 4.x

SSLV versions up to 4.2.2.x will record a "Missing Extension" error in the session log, and either the flow will be reset or, when browsing, you will receive the error message "ERR_SSL_VERSION_INTERFERENCE".

Cause

As the RFC for TLSv1.3 is in a draft phase, new extensions can be added or changed. When a particular SSLV version is released, it supports up to the working TLSv1.3 draft version current at that time, but any further drafts may not be supported.

Resolution

Version 3.x

No specific solution exists for SSLV 3.x versions, but it is recommended to run the latest version.

Version 4.x

SSLV version 4.2.3.1 supports TLSv1.3 drafts 18-23. To avoid any interoperability issues, it is recommended to upgrade to this version.
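
To confirm which TLSv1.3 draft a client is offering when a flow is reset, the ClientHello from a packet capture can be checked against the draft 18-23 range above. The following is an added example, not Symantec code: it assumes the TLSv1.3 draft conventions that offered versions are listed in the supported_versions extension (type 43) and that draft N is encoded as 0x7f00 | N. The function names and the sample ClientHello are constructed for illustration.

```python
import struct

SUPPORTED_VERSIONS = 43        # ClientHello extension listing offered versions
SSLV_DRAFTS = range(18, 24)    # drafts 18-23, per the article for SSLV 4.2.3.1

def offered_versions(record: bytes) -> list:
    """Return the versions in a ClientHello's supported_versions extension."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32       # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SUPPORTED_VERSIONS:
            count = record[pos] // 2      # 1-byte list length, 2 bytes per version
            return list(struct.unpack_from(f"!{count}H", record, pos + 1))
        pos += ext_len
    return []

def classify(version: int) -> str:
    """Name a version code and say whether it falls in the drafts 18-23 range."""
    if version >> 8 == 0x7F:              # draft N is sent as 0x7f00 | N
        draft = version & 0xFF
        verdict = "within" if draft in SSLV_DRAFTS else "outside"
        return f"TLSv1.3 draft {draft} ({verdict} drafts 18-23)"
    if (version & 0x0F0F) == 0x0A0A and (version >> 8) == (version & 0xFF):
        return "GREASE placeholder (ignore)"
    names = {0x0304: "TLSv1.3 (final)", 0x0303: "TLSv1.2", 0x0302: "TLSv1.1"}
    return names.get(version, f"unknown 0x{version:04x}")

def sample_client_hello(versions) -> bytes:
    """Build a minimal ClientHello record. Constructed sample, not a capture."""
    sv = b"".join(struct.pack("!H", v) for v in versions)
    exts = b"\x00\x17\x00\x00"            # empty extension, to exercise skipping
    exts += struct.pack("!HHB", SUPPORTED_VERSIONS, len(sv) + 1, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hello)) + hello

if __name__ == "__main__":
    for v in offered_versions(sample_client_hello([0x2A2A, 0x7F17, 0x7F1C, 0x0303])):
        print(f"0x{v:04x}  {classify(v)}")
```

A client that lists only draft codes outside the 18-23 range ahead of TLSv1.2 is the case where the article's upgrade advice will not be enough on its own.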